Famed Hacker Guilty of 'Stealing' iPad User Data
Andrew Auernheimer, aka 'Weev,' at the beginning of his trial on Oct. 25, 2012.
CREDIT: Andrew Auernheimer/Twitter
NEWARK, N.J. — Infamous hacker Andrew Auernheimer, aka "Weev", was convicted of conspiracy to access a protected computer without authorization, a violation of the Computer Fraud and Abuse Act (CFAA), as well as fraud in connection with personal information, in United States Third Circuit Court today (Nov. 20).
Auernheimer vowed to appeal the verdict "as far as possible" and said the jury's decision was largely a byproduct of computer illiteracy among the general population.
"Hey epals don't worry!" Auernheimer wrote on his Twitter feed following the verdict. "We went in knowing there would be a guilty here. I'm appealing of course."
Before the verdict, Auernheimer was in good spirits.
"See you in 10," he joked in the courthouse elevator on his way to lunch, referring not to minutes but to the to the number of years he could be behind bars if convicted.
A decade is a long time to have hanging over your head. Still, the 27-year-old laughed with friends over a prosciutto-and-mozzarella-topped salad at a pizzeria adjacent to the courthouse. Auernheimer said he has a gluten allergy.
After lunch, Auernheimer, who is forbidden from using computer but is allowed to use mobile devices with Internet connectivity, repeatedly checked his Twitter feed to gauge reactions from friends and supporters.
After the verdict, Auernheimer's mood seemed to mellow, but his eyes remained firmly fixed to his tablet.
Auernheimer, who usually sports a large bushy beard, might have been almost unrecognizable to his fans today. He appeared in court clean-shaven in a suit and tie.
Only his well-worn dark brown corduroy Jan-Sport backpack hinted at the anti-establishment and chaotic ideals stored behind his black thick-rimmed glasses.
Anatomy of a hack that wasn't
In early June 2010, Auernheimer's friend Daniel Spitler "spoofed" the cellular IDs of 3G-data-enabled iPad ICC-IDs in order to see email addresses linked to the IDs, a security flaw made possible by a feature AT&T set up as a convenience to early adopters of 3G iPads.
Spitler realized that each iPad was encoding its own cellular ID number, or integrated circuit card (ICC) ID, in the URL, or Web address, that it used to access the AT&T website. He then found that subtly altering the cellular ID numbers in the URL would generate different email addresses on the AT&T site.
Intrigued, he wrote a computer script that ran through possible iterations of the cellular ID number, called it the "Account Slurper" and used it to harvest 114,000 email addresses posted on the AT&T site.
Spitler passed the harvested emails on to Auernheimer, who was already notorious for being an Internet "troll" and in 2008 had been profiled by the New York Times before his real name was publicly known.
Auernheimer unsuccessfully tried to shop the emails to major media outlets before handing the data to the gossip blog Gawker. By the time Gawker published the story on June 9, 2010, the flaw had been patched.
The list of harvested emails was never publicly released, and it did not lead to any identity thefts.
Both Auernheimer and Spitler were charged in January 2011, but within a few months Spitler took a plea deal and agreed to testify against Auernheimer.
Auernheimer's indictment says that Spitler "attacked" and "gained unauthorized access to" AT&T's servers to steal email addresses.
In fact, the data would have been publicly available to anyone who entered the correct URL into a Web browser. Spitler's script simply ran through the possible set of URLs.
The indictment also accuses Auernheimer of planning to profit from the theft of the emails, citing Internet relay chats among his fellow hackers that sound more like workplace banter than a nefarious conspiracy.
"If we can get a big dataset we could direct market iPad accessories," Auernheimer allegedly wrote.
On the Internet, 25 years is forever
The Computer Fraud and Abuse Act of 1986 predates the World Wide Web and makes it illegal to "access a computer without authorization or exceed authorized access from [a] protected computer."
Since the Web's development in 1991, both legal and technology experts have asserted that the law's language is so vague and overly broad that it has no real meaning.
In previous cases, three U.S. circuit courts accepted broad interpretations of the law, but two others said the law needed to be tailored.
The inconsistent rulings on the CFAA from various circuit courts indicates that the law is too hazy and that an overarching precedent may need to be set by the U.S. Supreme Court.
"Everybody here accesses a protected computer by the definition of the law," Auernheimer said while the jury was still deliberating. "The 'protected computer' is any network computer. You access a protected computer every day.
"Have you ever received permission from Google to go to Google? No. Nobody has ... Every computer with an Internet connection ... that's a pretty broad scope of protected computers."
Being a jerk isn't a crime
In closing arguments, Auernheimer's defense attorney, Tor Ekeland, said his client's biggest offense was akin to a game of "ding-dong ditch."
"Annoying?" Ekeland asked the jury. Yes. But criminal? Hardly.
Ekeland described Auernheimer as "hyperbolic" and a "blowhard" but made it very clear that he was anything but a criminal.
The prosecutor rebuffed that assertion and said Auernheimer "stole by deception" when he and Spitler spoofed the iPad ICC IDs in order to retrieve their corresponding email addresses.
Ekeland pointed out though, that the ICC codes, unique identifying numbers found on the SIM cards inside cellular-enabled iPads, are not security mechanisms the same way a computer password or PIN are.
He argued that ICCs are simply used for identification purposes — the equivalent of a serial number on a dishwasher, Ekeland said.
Again, the prosecution differed, pointing to the fact that ICC IDs are longer than Social Security numbers. The prosecutor accused Auernheimer of "impersonating" an iPad in order to gain access to AT&T's servers.
Killing the messenger?
The prosecution's argument ultimately convinced the jury, but Auernheimer still thought it was absurd.
"Adding one to a number cannot be impersonation," Auernheimer countered outside of the courtroom. "That's a ridiculous argument. That's like page numbers in a book."
Even top AT&T security personnel said the incident wasn't a big deal, according to an email which the defense presented as evidence.
"R. David Halsey from AT&T used the words, 'There was no security bypass,'" Auernheimer reiterated. "It can't be clearer than that. The definition of 'unauthorized access' has to include the bypass of security measures."
It was the government, not AT&T, that pressed charges, Auernheimer said.
For giving the press email addresses that his friend collected on the Web, Auernheimer could go to jail for a longer than some violent convicts.
"Don't be dumb and try to fight things and make things better here like I did," he said.
Had he been acquitted, Auernheimer said he would have liked to visit family abroad and "probably not come back for a while."
"They love to kill messengers in this country," he said. "This has been a very hazardous place to hold an unpopular political opinion for four decades now really, and it ain't getting any better."